In Active Directory (AD) environments, the Windows Data Protection API (DPAPI) ensures that sensitive information such as passwords, certificates or browser login data is reliably protected - without developers having to implement their own encryption logic [1]. A central element of this system is the DPAPI Domain Backup Key.
What is the DPAPI Domain Backup Key?
The DPAPI Domain Backup Key is an asymmetric key pair that Windows generates when a new AD domain is created [2]. This domain backup key acts as a universal "recovery key" for DPAPI: It can decrypt any DPAPI secret in the domain by removing the user-specific master key encryption if the user password is not available [3][4].
In fact, the DPAPI backup key is a master key for all DPAPI-protected domain secrets - intended for password recovery scenarios. Due to its scope, it is one of the most sensitive secrets in Active Directory and requires consistent protection from domain administrators [5].
This report highlights unsupported, community-developed methods to reset or replace this key from a defensive and recovery perspective and explains why compromising the DPAPI backup key is so dangerous.
We also discuss limitations and risks of these unofficial approaches, compare countermeasures and give recommendations for defenders (e.g. managed security service providers) who suspect a compromise of the DPAPI backup key.
All sources cited are authoritative security documentation, research blogs or vendor notes; a complete source overview follows below.
Within an AD domain, each account has one or more DPAPI Master Keys - symmetric keys derived from the login password - which are used to protect the sensitive data blobs of that account [6][7]. If users change or forget their password, the DPAPI data encrypted with the old, password-based key would be inaccessible.
To prevent irreversible data loss, Microsoft has designed DPAPI in such a way that each master key is additionally encrypted with a domain-wide backup public key and its associated private key is stored in AD [3][8]. This DPAPI Domain Backup Key - also called DPAPI Domain Recovery Key - is an RSA key pair in the container CN=System of the AD database (as secret objects BCKUPKEY_PREFERRED, BCKUPKEY_P and BCKUPKEY_<GUID>) [9]. It is created once during domain creation and is never automatically changed or rotated - for the entire lifetime of the domain [10].
In practice, this means that whenever DPAPI protects a secret for a domain account, Windows creates a master key file that is encrypted with the account's current password. At the same time, DPAPI encrypts a copy of this master key with the domain-wide backup public key [11]. If the password is later reset - by the account or administratively - Windows can retrieve the master key using the backup private key stored in AD, decrypt the DPAPI secret and then protect it again using a new master key derived from the new password [12].
This ensures data recovery across password changes.
Implication: Anyone who obtains the domain-wide backup private key can decrypt DPAPI-protected data from any account in the domain - even after password changes [13].
Warning: This is precisely why Microsoft urgently warns users to protect the RSA key pair - the DPAPI recovery key - with the utmost care and to keep it strictly under lock and key [5].
"Microsoft expressly points out that the DPAPI recovery key must be treated like crown jewels!"
A stolen DPAPI backup key effectively provides attackers with a master decryption key for all protected secrets in the domain [4][14]. Because every DPAPI-encrypted blob (credentials, tokens, files, etc.) ultimately relies on this backup key as a fallback, cyberattackers can use the exfiltrated private key material to decrypt an enormous range of sensitive data across the environment.
Examples: The backup key and a master key of an account can be used to open stored passwords in the Windows Credential Manager, browser logins and cookies, Outlook and WLAN passwords, RDP credentials, VPN keys, certificate private keys, BitLocker recovery keys, cloud access tokens and much more [15][16].
In short, every DPAPI-protected secret of every domain account becomes readable [14][17]. This is why the DPAPI backup key is often referred to as "Keys to the Kingdom" in Windows environments.
A stolen DPAPI backup key signals a worst-case scenario: Highest privileges and a long-term ability to read secrets at will.
But let's analyze the scenario from its beginnings: DPAPI secrets remain permanently bound to the original backup key [18]. If this has already been stolen, attackers can decrypt all the data protected with it for any length of time - even after traditional IR measures [19].
This results in ongoing cryptographic damage: The confidentiality of the environment is broken and cannot be "repaired" by a reset, as is the case with compromised password hashes [20][21]. Microsoft therefore classifies the compromise of the DPAPI backup key as an extreme case - unlike a "normal" domain admin takeover [22][23].
"Microsoft classifies the compromise of the DPAPI backup key as an extreme case, which is far more serious than a classic domain admin takeover forced by an attacker."
The compromise also shows the level of access the attackers already had. The backup private key is located in the AD database (ntds.dit) and is accessible via specific LSA-RPC calls on domain controllers (DC) [24][25]. The theft of the backup private key almost always means that the other party had domain admin or equivalent rights on a DC [26]. At this level, attackers can change the AD at will and install additional backdoors: This makes the entire domain security questionable [27][28].
In practice, advanced hackers, once they are domain admins, immediately pull the DPAPI backup keys (e.g. via Mimikatz) as part of their persistence strategy [29][30]. Incident responders regularly observe that APT actors on DC extract "all available credential material" - including DPAPI keys [31][32].
Microsoft's guidance is clear: there are no supporting mechanisms to change or rotate the DPAPI domain backup key on existing domain controllers [33][34]. Unlike other sensitive domain secrets (e.g. regular rotation of the KRBTGT account password), the DPAPI backup key is intended to remain constant for the entire lifetime of the domain [35][36]. The reason for this is the close link to data recovery. A change would immediately prevent the decryption of historical secrets. Unless extraordinary measures are taken [37].
Instead, Microsoft recommends unequivocally: If the DPAPI backup key is compromised, the only truly trustworthy solution is to set up a new domain and migrate all objects [26][38]. In other words: "Burn down the forest and start again", as the cryptographic foundation of the old domain is no longer trustworthy [39][40]. This is extremely costly and is seen as a last resort [26]. Reasoning according to Microsoft: Whoever had access to steal the backup key had your AD under control to such an extent that the directory can never be restored to a completely trustworthy state [41][42]. Group policies, hidden accounts, persistence mechanisms - many things may remain undetected [43]. "Patching" the existing domain while the master key is held by the adversary is not enough [44][45].
Microsoft does indicate that third parties could theoretically perform a rotation via the BackupKey API (MS-BKRP): The protocol documentation describes how a new backup key can be created and marked as preferred in AD [46].
However, any solution based on this is explicitly not supported [46]. Until recently, no official tools existed and the predominant recommendation remained domain migration [39]. The "nuke-from-orbit" approach emphasizes the severity of a DPAPI backup key leak - it is not a normal incident, but a fundamental cryptographic compromise.
Despite Microsoft's stance, the community explored unsupported ways to rotate or replace the DPAPI backup key - driven by the practical impossibility of a complete reset for large organizations. This has resulted in several third-party tools and techniques that introduce a new backup key into the domain. Effectively, the key material used in the future is changed, while the old key is retained for decrypting historical data.
DSInternals PowerShell & Custom Scripts: The open source toolkit DSInternals exposes low-level AD functionalities (including LSA secrets and backup keys) [47]. It can retrieve DPAPI backup keys - online via domain RPC or offline from ntds.dit [47].
Important: DSInternals (and similar modules) can not only retrieve existing backup private keys (e.g. Get-LsaBackupKey), but also write new secret objects to AD via the BackupKey protocol [48].
In other words: With DC access, administrators can generate a new RSA key pair, add it as BCKUPKEY_<GUID> and have BCKUPKEY_PREFERRED point to this GUID [49]. This effectively marks a new "Preferred" backup key. This is not trivial, requires careful secret manipulation in AD and usually a DC restart so that LSASS loads the new key [50][51].
In 2023, Sygnia published a detailed method and tool to securely rotate the DPAPI backup key without data loss [52][53]. Their BackupKeyManager tool operationalizes the MS-BKRP approach: It generates a new 2048-bit RSA key pair, writes it as a new secret in AD and sets it as preferred [54][55].
Essential: The old backup key is not deleted or overwritten, but remains in AD in order to decrypt older DPAPI master keys [56]. After deployment on all DCs and replication, the DCs are restarted so that LSASS uses the new preferred key for DPAPI [50]. From then on, new DPAPI secrets (e.g. after password changes) are protected with the new backup key.
Figure 1 (in the linked article) shows Sygnia sample output from a community tool that visualizes the creation of a new DPAPI backup key and setting it as preferred in AD. The utility creates a new RSA pair (with a unique GUID), loads it as a secret in CN=System and updates BCKUPKEY_PREFERRED. The tool then recommends restarting all DCs for the change to take full effect [57].
"Forcing" clients to use the new key: Introducing a new backup key on the server side is only half the battle. Existing workstations or user profiles have cached the old backup public key (file BK-<domain>-<GUID> in the profile). By default, an account only retrieves the new key when its current DPAPI master key expires (up to 90 days) [58][59].
To speed things up, Sygnia provides a PowerShell onboarding script (rollout via GPO, logon script, Intune etc.), which in the user context (1) renames the old BK file, (2) artificially expires the current master key and (3) triggers DPAPI to generate a new master key [60][61][62][63].
When the new master key is generated, the old BK file is missing; DPAPI then pulls the current backup public key from the domain and encrypts the master key with it [64]. In this way, future secrets are bound to the new backup key. Old master keys remain decryptable via the old key - therefore the old key must never be removed [65]. Sygnia provides script and guidance in the open source repo for the BackupKeyManager [66].
Theoretically, rotation can also take place via direct editing of AD secrets or via the domain replication protocol. Teams sometimes use DCSync (DRSUAPI) to pull or push backup key information. Hackers in turn extract backup keys via LSARPC (Mimikatz lsadump::backupkeys, SharpDPAPI), via DCSync or by stealing the entire ntds.dit with subsequent offline parsing [67][68].
Security managers who want to rotate must bear in mind that the same mechanisms could be misused by attackers. Any manual or program-controlled key generation touches highly critical AD paths - inherently risky.
"If you want to rotate the DPAPI backup key, you should never forget: The same mechanisms are also open to attackers."
Important: All of these procedures are unofficial and entail potential complications. However, they show that rotating the DPAPI backup key in a running domain is technically possible today, although it was long considered impossible. The aim: to deprive the other party of the ability to decrypt new secrets indefinitely in future - without the "atomic option" of a complete AD reset.
Any approach outside of the official Microsoft guidance has substantial limitations or risks.
For example: Adding a new backup key does not retroactively protect existing secrets. All DPAPI master keys and data blobs created before the rotation remain encrypted with the old, compromised key [69][70]. Anyone who has the old key can decrypt all historical data. Rotation only protects new data (from rotation). In addition, attackers may have already captured numerous master keys - these remain valid for the data assigned to them [71][72].
A complete clean-up would only be possible if every DPAPI blob in the entire environment could be decrypted and then re-encrypted - an undertaking that is almost impossible to realize in large networks [73]. Rotation is therefore limited in time and does not undo the past [74].
If the process is carried out incorrectly or the old key is lost, permanent data loss can occur [56]. Overwriting instead of replacing the old key would be catastrophic. Interventions in low-level secrets are tricky: Partial failures, replication problems, necessary DC restarts [75] or inconsistent states are among the typical risks. Legacy systems could handle the scenario poorly.
On the server side, all domain controllers must be equipped with the new key, while on the client side, all accounts and endpoints must undergo onboarding [60][76]. If off-network devices or rarely used service accounts are not taken into account, they will continue to use the old keys. Without forcing, the natural changeover can take a long time due to the 90-day cycle [59]. Orchestration, automation and monitoring are complex [77].
A rotation does not eliminate other backdoors such as golden tickets, rogue DC objects, manipulated admins, DC rootkits). If the attackers already had domain admin rights, the domain may remain unreliable [78][43]. This is a key point, which is why Microsoft recommends a complete rebuild [28][79].
In short, unofficial DPAPI key resets are "unsupported" for good reason: they are complex, risky and do not heal the past [69][70]. As a bridging measure, however, they can limit the damage for the future - a useful tool, but not a panacea.
In the event of a confirmed or suspected compromise, there are three options to choose from:
An AD forest recovery (restore of "clean" backups) can be performed between main path 1 and 3 - but only makes sense if the uncompromised point in time is certain. As the DPAPI backup key is the same from the start, a recovery would typically not change it.
Main path 2 is a middle way: protect future data without rebuilding the entire AD - with clear trade-offs.
Conclusion - Option 1 is and remains the complete solution, albeit at great expense.
"Domain admin breach = DPAPI key breach. Until proven otherwise."
In the case of DC access, key theft is likely [29][85]. Therefore, the following equation applies until complete proof to the contrary: Domain Admin Breach = DPAPI Key Breach.
After a compromise, consistent action counts: It is crucial to stabilize the environment, gradually restore trust and identify future attacks at an early stage.
These five steps are crucial after a breach:
The DPAPI domain backup key symbolizes trust in cryptography - and the risk if this trust is broken. Its compromise is one of the most complex security events in Active Directory environments.
But even if there is no easy way back to a completely trustworthy state, there is still room for maneuver:
Organizations that rely on clear processes, human experience and technological precision remain in control even in an emergency and create the basis for sustainable cyber resilience.
With InfoGuard at your side, you can secure your Active Directory holistically - from detection and defense to the restoration of cryptographic integrity.
Contact us- in our ISO 27001-certified Cyber Defense Center, we monitor your IT infrastructure around the clock, detect anomalies in real time and respond immediately to threats. Our highly qualified experts will be happy to advise you and are always there for you.
Sources:
________________________________________
[1] [8] [50] [51] [52] [53] [54] [55] [56] [57] [58] [59] [60] [61] [62] [63] [64] [65] [66] [75] [76] [77] [80] [82] [83] What is DPAPI: Unveiling the Decline of a Top Secret Weapon
https://www.sygnia.co/blog/the-downfall-of-dpapis-top-secret-weapon/
[2] [3] [5] [9] [10] [12] [13] [26] [27] [33] [37] [46] [103] DPAPI backup keys on Active Directory domain controllers - Win32 apps | Microsoft Learn
https://learn.microsoft.com/en-us/windows/win32/seccng/cng-dpapi-backup-keys-on-ad-domain-controllers
[4] [6] [7] [11] [14] [28] [39] [40] [41] [42] [43] [70] [71] [72] [73] [78] [79] [111] [112] DPAPI Backup Key Compromise Pt. 1: Some Forests Must Burn - SpecterOps
https://specterops.io/blog/2025/07/28/dpapi-backup-key-compromise-pt-1-some-forests-must-burn/
[15] [16] [17] [18] [19] [20] [21] [22] [23] [29] [30] [31] [32] [34] [38] [44] [45] [48] [49] [69] [74] [81] [84] [85] [97] [98] [99] [100] [101] [102] [108] [109] [110] Critical Confusion: Why Most IT Professionals Misunderstand Microsoft's Domain Compromise Recovery Guidance | SANS Institute
https://www.sans.org/blog/critical-confusion-why-most-it-professionals-misunderstand-microsofts-domain-compromise-recovery-guidance
[24] [25] [67] [68] [86] [87] [88] [89] [90] [91] [95] [96] [104] [105] Detecting DPAPI Backup Key Theft | DSInternals
https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
[35] [36] [113] DPAPI backup key : r/activedirectory
https://www.reddit.com/r/activedirectory/comments/1eql0xm/dpapi_backup_key/
[47] GitHub - MichaelGrafnetter/DSInternals: Directory Services Internals (DSInternals) PowerShell Module and Framework
https://github.com/MichaelGrafnetter/DSInternals
[92] [93] [94] [106] [107] Creation or Modification of Domain Backup DPAPI private key | Elastic Security [8.19] | Elastic
https://www.elastic.co/guide/en/security/8.19/creation-or-modification-of-domain-backup-dpapi-private-key.html
Caption: Image generated with AI